Most of the good thrillers I tend to watch have spies and assassins in them for some diabolical reason. In those movies you'll often find their target, the Archduke of Villainess, holed up in some remote local and the spy has to fake an identity in order to penetrate the layers of defense. Almost without exception the spy enters the country using a fake passport; relying upon a passport from any country other than their own.

Like any good story, there's enough truth to the fiction to make it believable. Take the real-life example of the hit squad that carried out the assassination of a Hamas official in Dubai early 2010. That squad (supposedly Israeli) used forged passports from the United Kingdom, Ireland, France and Germany.

So, with that bit of non-fiction in mind, why do so many people automatically assume that cyber-attacks sourced from IP addresses within China are targeted, state-sponsored, attacks? Are people missing the plot? Has the Chinese APT leapfrogged fact and splatted in to the realm of mythology already?

If you're manning a firewall or inspecting IPS log files, you can't have missed noticing that there's a whole bunch of attacks being launched against your organization from devices hosted in China on a continuous basis. A sizable fraction of those attacks would be deemed to be "advanced"; meaning that as long as they're more advanced than the detection technology you're using, they're as advanced as they need to be to get the job done.

Are these the APT's of lore? Are these the same things that government defense departments and contractors quake in their boots? There's a simple way to tell. If what you're observing in your own logs shows the source as being from a Chinese IP address it almost certainly isn't.

Yes, there's a tremendous amount of attack traffic coming from China, but this should really be categorized as the background hum of the modern Internet. China, as the most populous country on the planet, isn't exempt from having more than its fair share of Internet scoundrels, wastrels, hackers and cyber-criminals — spanning the full spectrum of technical capability and motivations. Even then, the traffic originating from China may not be wholly from criminals based there — instead it may also contain attack traffic tunneled through open proxies and bot infected hosts within China by other international cyber-criminals.

When we're talking about cyber-warfare and state-sponsored espionage, we're not talking about a bunch of under-graduate hackers.

Just about every country I can think of with a full-time professional military force has been investing in their cyber capabilities — both defense and attack. While they're not employing the crème de la crème of professional hacking talent, they are professional and have tremendous resources behind them, and they follow a pretty strict and well thought-out doctrine. If you're in the Chinese Army and have been tasked with facilitating a particular espionage campaign or to aid a spy mission, the last thing on earth you're going to do is to launch or control your assets from an IP address that can be easily traced back to China. Anywhere else in the world is good, and an IP address in a country that your foe is already suspicious of (or fully trusting of) is way better.

Don't get me wrong though, I'm not singling out the Chinese for any particular reason other than most readers would be familiar with the hoopla of Chinese APTs in the media. Any marginally competent adversary is going to similarly launch their attacks from a foreign source if they're planning on maintaining deniability should the attack ever be noticed — just like those spy tactic of using foreign passports.

So, if you're so inclined, how are you going to get access to foreign resources that can proxy and mask your attacks? Elementary my dear Watson, there's a market for that. First of all there's a whole bunch of free and commercial anonymizing proxies , routers and VPN's out there — but they may not be stable enough for conducting a prolonged campaign (and besides, they're probably already penetrated by a number of government entities already). Alternatively you could buy access to already compromised systems and hijack them for your own use.

Over the last five years there have been a bunch of boutique threat monitoring and threat feed companies spring up catering almost exclusively to the needs of various national defense departments. While they may offer 0-day vulnerabilities, reliable weaponized exploits and stealthy remote access Trojans, their most valuable offering in the world of state-sponsored espionage is arguably the feed of intelligence harvested from the sinkholes they control. Depending upon the type of sinkhole they're fortunate to be operating, and which botnet or malware campaign that happened to utilize the hijacked domain, they're going to have access to a real-time feed of known victim devices from around the world, copies of all the data leached from the victims by the malware and, in some cases, the ability to remotely control the victim device. Everything a cyber-warfare unit is going to need to hijack and usurp control of a foreign host, and launch their stealthy attack from.

Now, if I was say working within the cyber-warfare team of the French Foreign Legion or perhaps the DGSE (General Directorate for External Security) and interested in gathering secret intelligence about the investment Chinese companies are making in sub-Sahara mineral resources, I'd probably launch my attack from a collection of bot-infected hosts located within US or Australian universities. The security analysts and incident response folks working at those Chinese companies are probably already seeing attack traffic from these sources off-and-on, so my more specialized and targeted attack would unlikely raise suspicion. Should the targeted attack eventually be discovered, the Chinese would simply blame the US and Australian governments — rather than the French.

Having said all that, you've probably seen movies with double-agents in them too. And it's entirely possible that someone hair-brained enough would argue that China launches attacks from their own IP space because everyone knows that you shouldn't, and therefore the assumption needs to be that attacks launched from China are clearly not from the Chinese government — while they are in fact. How very cunning. Now there's a twist for the next spy movie.

By Gunter Ollmann, CTO at NCC Group Domain Services. More blog posts from Gunter Ollmann can also be read here.

Comments

You might factor in another variable here - what is being targeted and who does it benefit?Suresh Ramasubramanian – Apr 12, 2012 9:02 PM PDT

Cui bono? as a lawyer would ask.

I mean, for just about all the rest of the world, the Tibetans are yet another "oppressed minority" type and the Dalai Lama is a nice old man who gets photographed with presidents and gives nice lectures at universities.

For the chinese, that man is worse than a red rag to a bull and brings out all the mao era cant phrases, freely larded with abuse like "splittist" and "evil"

So when you get attack traffic from china targeting tibetan "leadership" types .. or indeed, any sort of attack traffic aimed at the tibetans, you would generally expect china to be in there somewhere.

Or similarly when you get a fortune 500 compromised and then some small town in china suddenly has a new plant that's using that very same technology before the year is out.

It would be stupid to believe that all attack traffic from china is a chinese government plot to destabilize the internet. It would be equally stupid to believe that nothing of the sort ever goes on and they're pure as the driven snow.

[you can say that to more or less an extent for just about any other country in the world - you won't find me disagreeing with that]